Blog by Luke Li

Hacking Venmo’s $1M Money Tree Giveaway with Javascript and Chrome

Venmo is a payment system designed for mobile devices that makes it easy to pay or transfer money over to friends (venmo.com).

Venmo’s currently having a promotion on moneytree.venmo.com where they’re giving 1 million dollars in total to new Venmo users who play their game. The game is pretty self-explanatory: you have 10 seconds to click on leaves falling from the “money tree”, each green leaf clicked gets you 10 cents and each blue leaf clicked gets you 20 cents.

After you’re done, you can share the game with friends to continue playing or collect your winnings (if you’re a new visitor) by giving Venmo your phone number and installing the Venmo app:

I noticed that the game was created with Javascript and not Flash, so I thought that I could hike up my game score pretty easily by changing the javascript in the page. Chrome Developer Tools makes it pretty easy to do this by allowing you to live-edit javascript of a page and see its results in the browser (which is really cool), so I tried a little proof-of-concept to see what I could do with Venmo’s game.

First, I opened up chrome’s dev tools and went to the “Sources” tab to change the javascript. leaves_falling.js seemed like a good place to look:

Particularly, the very last function of leaves_falling.js (at the very end/right of the file) seems intriguing:

Before editing the file, I set a breakpoint on the first line (only line!) of leaves_falling.js to halt any code execution before I modified the javascript. The line number turns blue if a breakpoint is set:

Refreshing the page, we get the expected “paused in debugger” message:

I then edit the return_points function in leaves_falling.js to return a high score for me: let’s return 1000 times what the original score would have been:

We save the file (Ctrl+S) and continue after the breakpoint by pressing the “unpause” button in the browser. This time when we play the game, clicking one leaf stops the game immediately and we get this message:

Venmo seems to stop the game immediately if you go over $5.00, but if you notice at the bottom of the image, I did receive 10,000 points for the game, showing that the javascript change worked. I’m pretty confident that further digging from someone would allow you to increase the “max payout” of the game with a similar technique, but I’m confident that Venmo confirms this server side as well to prevent payouts larger than $5.00 from happening. Venmo probably doesn’t consider this a “vulnerability” in any sense as well; they’re willing to give $5.00 in order to obtain a new customer, as they’ve shown in previous referral promotions in the past (sign up a friend and receive $5.00 in Venmo credit). Still, as a proof-of-concept, its pretty cool as a demonstration of how live-editing javascript with Chrome’s dev tools works, and is a nifty way to get their max payout ($5.00), which is almost impossible to do via playing the game. I’ve used this technique before to get obscenely high scores in games made in javascript- comment and let me know if you’ve live-edited javascript with Chrome’s dev tools before and why!